shorewall.8

sharewall is very good

.sp
if
\fB\-c\fR
is included, the command
\fBshorewall\-lite show capabilities \-f > /var/lib/shorewall\-lite/capabilities\fR
is executed via ssh then the generated file is copied to
\fIdirectory\fR
using scp\&. This step is performed before the configuration is compiled\&.
.sp
If
\fB\-r\fR
is included, it specifies that the root user on
\fIsystem\fR
is named
\fIroot\-user\-name\fR
rather than "root"\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.RE
.PP
\fBreset\fR
.RS 4
All the packet and byte counters in the firewall are reset\&.
.RE
.PP
\fBrestart\fR
.RS 4
Restart is similar to
\fBshorewall start\fR
except that it assumes that the firewall is already started\&. Existing connections are maintained\&. If a
\fIdirectory\fR
is included in the command, Shorewall will look in that
\fIdirectory\fR
first for configuration files\&.
.sp
The
\fB\-n\fR
option causes Shorewall to avoid updating the routing table(s)\&.
.sp
The
\fB\-p\fR
option causes the connection tracking table to be flushed; the
\fBconntrack\fR
utility must be installed to use this option\&.
.sp
The
\fB\-f\fR
option suppresses the compilation step and simply reused the compiled script which last started/restarted Shorewall\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
If you use Shorewall\'s multi\-ISP feature, you are stronly advised against using the \-C option of the
\fBrestart\fR
command when switching between Shorewall\-shell and Shorewall\-perl\&. The only supported way to switch compilers is to
\fBshorewall stop\fR
followed by
\fBshorewall start \-C\fR
\fIcompiler\fR
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBrestore\fR
.RS 4
Restore Shorewall to a state saved using the
\fBshorewall save\fR
command\&. Existing connections are maintained\&. The
\fIfilename\fR
names a restore file in /var/lib/shorewall created using
\fBshorewall save\fR; if no
\fIfilename\fR
is given then Shorewall will be restored from the file specified by the RESTOREFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.RE
.PP
\fBsafe\-restart\fR
.RS 4
Only allowed if Shorewall is running\&. The current configuration is saved in /var/lib/shorewall/safe\-restart (see the save command below) then a
\fBshorewall restart\fR
is done\&. You will then be prompted asking if you want to accept the new configuration or not\&. If you answer "n" or if you fail to answer within 60 seconds (such as when your new configuration has disabled communication with your terminal), the configuration is restored from the saved configuration\&. If a directory is given, then Shorewall will look in that directory first when opening configuration files\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.if n \{\
.sp
.\}
.RS 4
.BM yellow
.it 1 an-trap
.nr an-no-space-flag 1
.nr an-break-flag 1
.br
.ps +1
\fBWarning\fR
.ps -1
.br
If you use Shorewall\'s multi\-ISP feature, you are stronly advised against using the \-C option of the
\fBsafe\-restart\fR
command when switching between Shorewall\-shell and Shorewall\-perl\&. The only supported way to switch compilers is to
\fBshorewall stop\fR
followed by
\fBshorewall safe\-start \-C\fR
\fIcompiler\fR
.sp .5v
.EM yellow
.RE
.RE
.PP
\fBsafe\-start\fR
.RS 4
Shorewall is started normally\&. You will then be prompted asking if everything went all right\&. If you answer "n" or if you fail to answer within 60 seconds (such as when your new configuration has disabled communication with your terminal), a shorewall clear is performed for you\&. If a directory is given, then Shorewall will look in that directory first when opening configuration files\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.RE
.PP
\fBsave\fR
.RS 4
The dynamic blacklist is stored in /var/lib/shorewall/save\&. The state of the firewall is stored in /var/lib/shorewall/\fIfilename\fR
for use by the
\fBshorewall restore\fR
and
\fBshorewall \-f start\fR
commands\&. If
\fIfilename\fR
is not given then the state is saved in the file specified by the RESTOREFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&.
.RE
.PP
\fBshow\fR
.RS 4
The show command can have a number of different arguments:
.PP
\fBactions\fR
.RS 4
Produces a report about the available actions (built\-in, standard and user\-defined)\&.
.RE
.PP
\fBcapabilities\fR
.RS 4
Displays your kernel/iptables capabilities\&. The
\fB\-f\fR
option causes the display to be formatted as a capabilities file for use with
\fBcompile \-e\fR\&.
.RE
.PP
[ [ \fBchain\fR ] \fIchain\fR\&.\&.\&. ]
.RS 4
The rules in each
\fIchain\fR
are displayed using the
\fBiptables \-L\fR
\fIchain\fR
\fB\-n \-v\fR
command\&. If no
\fIchain\fR
is given, all of the chains in the filter table are displayed\&. The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&. The
\fB\-t\fR
option specifies the Netfilter table to display\&. The default is
\fBfilter\fR\&.
.sp
If the
\fBt\fR
option and the
\fBchain\fR
keyword are both omitted and any of the listed
\fIchain\fRs do not exist, a usage message is displayed\&.
.RE
.PP
\fBclassifiers|filters\fR
.RS 4
Displays information about the packet classifiers defined on the system as a result of traffic shaping configuration\&.
.RE
.PP
\fBconfig\fR
.RS 4
Dispays distribution\-specific defaults\&.
.RE
.PP
\fBconnections\fR
.RS 4
Displays the IP connections currently being tracked by the firewall\&.
.RE
.PP
\fBlog\fR
.RS 4
Displays the last 20 Shorewall messages from the log file specified by the LOGFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5)\&. The
\fB\-m\fR
option causes the MAC address of each packet source to be displayed if that information is available\&.
.RE
.PP
\fBmacros\fR
.RS 4
Displays information about each macro defined on the firewall system\&.
.RE
.PP
\fBmangle\fR
.RS 4
Displays the Netfilter mangle table using the command
\fBiptables \-t mangle \-L \-n \-v\fR\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
\fBnat\fR
.RS 4
Displays the Netfilter nat table using the command
\fBiptables \-t nat \-L \-n \-v\fR\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
\fBraw\fR
.RS 4
Displays the Netfilter raw table using the command
\fBiptables \-t raw \-L \-n \-v\fR\&.The
\fB\-x\fR
option is passed directly through to iptables and causes actual packet and byte counts to be displayed\&. Without this option, those counts are abbreviated\&.
.RE
.PP
\fBtc\fR
.RS 4
Displays information about queuing disciplines, classes and filters\&.
.RE
.PP
\fBzones\fR
.RS 4
Displays the current composition of the Shorewall zones on the system\&.
.RE
.RE
.PP
\fBstart\fR
.RS 4
Start shorewall\&. Existing connections through shorewall managed interfaces are untouched\&. New connections will be allowed only if they are allowed by the firewall rules or policies\&. If a
\fIdirectory\fR
is included in the command, Shorewall will look in that
\fIdirectory\fR
first for configuration files\&. If
\fB\-f\fR
is specified, the saved configuration specified by the RESTOREFILE option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) will be restored if that saved configuration exists and has been modified more recently than the files in /etc/shorewall\&. When
\fB\-f\fR
is given, a
\fIdirectory\fR
may not be specified\&.
.sp
The
\fB\-n\fR
option causes Shorewall to avoid updating the routing table(s)\&.
.sp
The
\fB\-p\fR
option causes the connection tracking table to be flushed; the
\fBconntrack\fR
utility must be installed to use this option\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.RE
.PP
\fBstop\fR
.RS 4
Stops the firewall\&. All existing connections, except those listed in
\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[3]\d\s+2(5) or permitted by the ADMINISABSENTMINDED option in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5), are taken down\&. The only new traffic permitted through the firewall is from systems listed in
\m[blue]\fBshorewall\-routestopped\fR\m[]\&\s-2\u[3]\d\s+2(5) or by ADMINISABSENTMINDED\&.
.sp
The
\fB\-f\fR
option was added in Shorewall 4\&.0\&.3\&. If
\fB\-f\fR
is given, the command will be processed by the compiled script that executed the last successful
\fBstart\fR,
\fBrestart\fR
or
\fBrefresh\fR
command if that script exists\&.
.RE
.PP
\fBstatus\fR
.RS 4
Produces a short report about the state of the Shorewall\-configured firewall\&.
.RE
.PP
\fBtry\fR
.RS 4
If Shorewall is started then the firewall state is saved to a temporary saved configuration (\FC/var/lib/shorewall/\&.try\F[])\&. Next, if Shorewall is currently started then a
\fBrestart\fR
command is issued; otherwise, a
\fBstart\fR
command is performed\&. if an error occurs during the compliation phase of the
\fBrestart\fR
or
\fBstart\fR, the command terminates without changing the Shorewall state\&. If an error occurs during the
\fBrestart\fR
phase, then a
\fBshorewall restore\fR
is performed using the saved configuration\&. If an error occurs during the
\fBstart\fR
phase, then Shorewall is cleared\&. If the
\fBstart\fR/\fBrestart\fR
succeeds and a
\fItimeout\fR
is specified then a
\fBclear\fR
or
\fBrestore\fR
is performed after
\fItimeout\fR
seconds\&.
.sp
The
\fB\-C\fR
option determines the compiler to use (Shorewall\-shell or Shorewall\-perl)\&. If not specified, the SHOREWALL_COMPILER setting in
\m[blue]\fBshorewall\&.conf\fR\m[]\&\s-2\u[1]\d\s+2(5) determines the compiler to use\&.
.RE
.PP
\fBversion\fR
.RS 4
Displays Shorewall\'s version\&. If the
\fB\-a\fR
option is included, the versions of Shorewall\-shell and/or Shorewall\-perl will also be displayed\&.
.RE
.SH "FILES"
.PP
/etc/shorewall/
.SH "See ALSO"
.PP
\m[blue]\fBhttp://www\&.shorewall\&.net/starting_and_stopping_shorewall\&.htm\fR\m[]
.PP
shorewall\-accounting(5), shorewall\-actions(5), shorewall\-blacklist(5), shorewall\-hosts(5), shorewall\-interfaces(5), shorewall\-ipsec(5), shorewall\-maclist(5), shorewall\-masq(5), shorewall\-nat(5), shorewall\-netmap(5), shorewall\-params(5), shorewall\-policy(5), shorewall\-providers(5), shorewall\-proxyarp(5), shorewall\-route_rules(5), shorewall\-routestopped(5), shorewall\-rules(5), shorewall\&.conf(5), shorewall\-tcclasses(5), shorewall\-tcdevices(5), shorewall\-tcrules(5), shorewall\-tos(5), shorewall\-tunnels(5), shorewall\-zones(5)
.SH "Notes"
.IP " 1." 4
shorewall.conf
.RS 4
\%http://www.shorewall.net/manpages/shorewall.conf.html
.RE
.IP " 2." 4
shorewall-interfaces
.RS 4
\%http://www.shorewall.net/manpages/shorewall-interfaces.html
.RE
.IP " 3." 4
shorewall-routestopped
.RS 4
\%http://www.shorewall.net/manpages/shorewall-routestopped.html
.RE